CISA Advisory Warns of VMware Vulnerabilities That Allow Remote Code Execution
- Written by: Trevor Meers
A new federal advisory warns users of four VMware products to take immediate action on vulnerabilities that allow hackers to execute remote code.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive ordering federal civilian executive branch agencies running the affected VMware products to update them immediately or remove them from their networks. Private organizations should obviously assess their own risk with these products. CISA says users of the affected VMware products should assume they have been compromised, disconnect the products from the network and start threat-hunting activities.
VMware, a subsidiary of Dell, offers virtualization and cloud computing software.
The May 18 CISA advisory responds to observed or expected exploitation of vulnerabilities in these VMware products:
- VMware Workspace ONE Access (Access)
- VMware Identity Manager (vIDM)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
Hackers can use the four vulnerabilities to execute remote code on a system without authentication, elevate privileges, and obtain administrative access without the need to authenticate. Hackers have already begun exploiting CVE-2022-22954 and CVE-2022-22960, and experts expect them to exploit the other two in the near future.
The links below provide details on the vulnerabilities and recommended mitigation steps:
- CVE-2022-22954
- CVE-2022-22960
- For details on detection methods and indicators of compromise for CVE-2022-22954 and CVE-2022-22960, consult this alert from CISA.
- CVE-2022-22972
While CISA’s emergency directive applies only to federal agencies, CISA Director Jen Easterly said, “We strongly urge every organization—large and small—to follow the federal government’s lead and take similar steps to safeguard their networks.”
Note that VMware released updates for CVE-2022-22954 and CVE-2022-22960 in April, but threat actors reverse-engineered the updates within 48 hours and began exploiting the vulnerabilities. Experts expect threat actors to do the same with the updates for CVE-2022-22972 and CVE-2022-22973.
For guidance on how these vulnerabilities may affect your system, contact HBS today.